Buzzy's Roast Beef writes "The Boston Globe reports that bundles of newspapers in Worcester, MA were distributed wrapped in paper which contained subscriber credit card information for 240,000 customers. Those of you paying by check needn't worry; account and routing details for 1,100 customers paying by check were also given out like candy." From the article: "Larkin said the newspapers were first notified of the security breach on Monday by a clerk at a Cumberland Farms store. It took until late Monday for officials to confirm the data on the back of the paper were credit and debit card numbers. Senior management learned of the security breach yesterday morning, Larkin said. The company put out a news release late yesterday afternoon."

It should be a no-brainer that financial information (not just credit cards) can only be accessed by the finance department, and any waste paper in the finance department must be disposed of by professional data destruction companies.

The article explained the mistakes, which were caused by aborted print jobs, only those printed documents were in the bin for recycling!

At least the newspapers have now added a safeguard to the computer system so only the last four numbers of credit and debit cards can be printed.
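A sketch of the kind of safeguard described in the comment above, added here as an illustration and not the newspapers' actual code: a filter that masks every Luhn-valid card number in a print job down to its last four digits and holds jobs that carry card numbers in bulk. The function names, the `hold_threshold` policy and the sample job are assumptions made for the example.

```python
import re

# Candidate card numbers: 13-19 digits, optionally grouped with single spaces or hyphens.
# Assumption: report fields are delimited by something else (here " | "), so two
# adjacent numeric fields never fuse into one candidate.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out account IDs and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pans(text: str):
    """Return (masked_text, hits); each Luhn-valid number keeps only its last four digits."""
    hits = 0

    def repl(match):
        nonlocal hits
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        if not luhn_ok(digits):
            return raw  # long digit run, but not a card number: print unchanged
        hits += 1
        to_mask = len(digits) - 4
        out = []
        for ch in raw:  # keep the original separators so column layout survives
            if ch.isdigit() and to_mask > 0:
                out.append("*")
                to_mask -= 1
            else:
                out.append(ch)
        return "".join(out)

    return PAN_RE.sub(repl, text), hits


def screen_print_job(text: str, hold_threshold: int = 2):
    """Hypothetical spooler hook: always mask, and hold jobs with card numbers in bulk."""
    masked, hits = mask_pans(text)
    action = "hold" if hits >= hold_threshold else "release"
    return action, masked, hits


# Constructed sample job; the card numbers are publicly documented test numbers.
SAMPLE_JOB = (
    "BILLING EXCEPTIONS (constructed sample)\n"
    "acct=1234567890123456 | card=4111 1111 1111 1111 | amt=15.00\n"
    "acct=S-100234 | card=5555-5555-5555-4444 | amt=15.00\n"
    "acct=S-100877 | card=378282246310005 | amt=15.00\n"
)

if __name__ == "__main__":
    action, masked, hits = screen_print_job(SAMPLE_JOB)
    print(action, hits)
    print(masked)
```
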

Circulation and accounting are connected like two wrestling squid. Every night a whole series of jobs are run referencing all kinds of billing information to determine whose subscriptions are paid up to the point where they qualify to get a paper in the morning. So all the customer card/account numbers are processed by the circulation side, and sent in cash batches to accounting.

So you see there is a financial subset inside circulation that deals with that billing info, which is why they have access to it. The reason it doesn't go straight to accounting is because, in most papers, accounting deals almost exclusively with advertising revenue and billing, which is a lot more complex than 15 bucks a month, or whatever the news subscription rate is, which gets billed automatically.

All that being said, it took some kinda dumbass to dump that info out on the toppers, and a whole crew of dumbasses down the line to attach that information to the paper. Most places don't put anything like personal information on the toppers for papers they're distributing, so it should have been obvious to anyone that there had been a mistake...There are a LOT of people who should have noticed something was wrong.

I think a couple of wrestling squid managing the billing and circulation might explain why the Boston Globe was unable to deliver the paper to me when I was a subscriber, and started leaving them on my doorstep whenever I cancelled my subscription (and not just one time).

That happens a lot actually. They don't pay carriers very much, and it's a pretty sucky job. It can take 'em a week to figure out they're supposed to be throwing a paper to your house, and then another week to figure out they're NOT.

If you can't raise the salary...Your corporate management is a bunch of money grubbing assbandits who are out for nothing but lining their own pockets...
And how is that different from "Your business model is broken."

Just in case you're not trolling, I'll bite. Mismanagement is running an industry (print media) that regularly sees 20-30% profit margins (on par with drug companies), and claiming, at the same time, that money is too tight to pay carriers mileage that covers gas prices, or to employ a staff anywhere near the size it would take to produce a first rate product.

No - mismanagement would be paying more than the market (apparently) bears. So if people are willing to deliver papers at a net loss to themselves, that's not really the company's problem is it? If there's mismanagement in what you're describing it's the carriers for working the contract... If enough leave, the company will be forced to raise the pay... yada yada yada economics 101.
Capitalism isn't about paying what you can afford to: it's about maximising profits. This is achieved by some combination of

I work at a newspaper and know exactly what you are talking about, the accounting-circulation connection (hence the department name "Circulation Accounting") but I'm surprised to hear that the full card numbers were distributed. I would assume that only the most inside of people, because computers handle all of the transactions, could access that information. For example, whenever a card number is typed into the database and updated it will only show the last four digits to any human. I would assume Circulat

Yea...I have to agree. I have access to the card numbers where I work, and I know off the top of my head the other 4 people who could call up any number they wanted to. There are only two here who could even generate a list like that, me and my opposite number in accounting.

Definitely seems fishy. What the hell are they doing with their cc numbers there?

Exactly, I'm off in the telemarketing department doing collections and so forth and I can't even give the card number to the customer. But for obvious reasons right? The fact that this list exists (say that out loud) makes me wonder wtf really happened.

Circulation and accounting are connected like two wrestling squid. Every night a whole series of jobs are run referencing all kinds of billing information to determine whose subscriptions are paid up to the point where they qualify to get a paper in the morning. So all the customer card/account numbers are processed by the circulation side, and sent in cash batches to accounting.

So you see there is a financial subset inside circulation that deals with that billing info, which is why they have access to i

I'm not explaining the billing system, I'm just saying why the numbers are available at all.

The way it works here is pretty similar to what you're talking about. Each customer has a unique ID. Now somewhere in the system that ID is connected to their credit card number (if they pay with it), but that part is never accessed by any reporting features. It's just sourced every time a billing request is generated by a weekly billing job in another part of the system. That job runs a charge on the card, and marks down the payment in another area, referenced by the customer ID and containing the date, amount, and transaction ID.

There are two people here who have a high enough level of access to the system to write a report that would merge credit card and user data in a printable form. There are maybe three others who could look up any card they chose, but they couldn't generate any kind of report containing multiple cards. All the printers connected to that system are in a physically secure area.

Basically we never do anything with the credit card number but generate billing with it. It's on no reports. Why would it be? What legitimate use is the credit card number to anyone except the authorized user? I passed the article around down here in the basement, and we all had a good laugh about it (first time we've been happy not to be the globe...heh), and none of us can even IMAGINE a scenario where printed lists of credit cards would be useful for any legitimate purpose.

Honestly, and I work in the business, I can't even imagine one. We store all that data, but there is no commonly run report that prints it out. There isn't any point in it.

If you pay by credit card with autopay, or similar, when your subscription is up, the system charges your card. It goes straight to the bank. It's not even a special job...Purely automated. The $$$ amount shows up on the batch report the next day, along with your name and subscriber ID and NOT your credit card number, because it would just be one more thing you don't need to look at on an already crowded report.

At the same time, if someone is paying by check, as opposed to having the money automatically debited from their account every day, we don't KEEP the routing number...Why would anyone? We just keep the check authorization number. With that, you can get the routing number if you need it, for whatever reason, later.

> For legal reasons one must still be able to present data in a form
> counsel can use in a trusted and secure method.

I can understand that for certain legal -purposes- this may be necessary. Is it strictly necessitated by law, however? Federal or state?

For security reasons, many firms don't store the credit card numbers after processing the transaction (obviously, doesn't apply to any regularly repeated transactions/subscriptions).

I worked for a credit company some years ago, and even with terminals at every desk, there were still reports (some massive) that were delivered to various departments. I'm guessing it was because the storage requirements to manage all that data may have been something on the "very expensive" side. It may have also had to do with the software not being able to access it- companies typically produce reports that make sense to their particular operation. Accessing that same data online, however, is another ma

Everyone is angry with the Globe for this... but what about the credit card companies? I mean, is this 1950? It would be (today) relatively simple to tie a unique number to a person+business for payments. So even if this number got out, it would be useless to anyone but the merchant.
imho, accepting a public number as a payment is irresponsible.
One implementation:

No business is allowed to or able to store credit card numbers - the swipe-machine doesn't pass it out.

Are you kidding? Do you know how much cheaper it would be to subscribe to these bird cage liners than it would be to purchase 240,000 credit/debit card accounts on the black market? The ROI seems pretty high to me!

The real solution to the problem is to never get a credit card. Turn off external access to your checking account at your bank.. use cash.. the real currency, not the made up tender called credit.. you will also have much more cash in your pocket.. I applaud giving out the numbers.. perhaps more people will cancel their cards.. and lock their bank accounts..

I thought this was one of the best reasons to have a credit/debit card. Get mugged? Well they only walked away with what cash was in the wallet, and you never need much in your wallet except when you are planning on making a large purchase or many purchases in cash.

You can go ahead and use your "real" currency. Go ahead and lose it, have it stolen, and not use it for internet transactions.

I'll use my credit card, use it on the internet, not worry about losing it, or someone else stealing it and using it. I'll let someone else handle pain in the ass merchants for me. And I'll pay my bill in full every month. And the credit card companies will give me free money for doing so.

I thought it was because, many moons ago, they used to call my home number on an almost weekly basis asking me if I wanted to subscribe. This was before the DNC list. I asked them to remove me, and they said it was some random dialer thing that they couldn't blacklist numbers or something.

The Globe and T&G financial information was inadvertently released when print-outs with the confidential information were recycled for use as ''toppers" for newspaper bundles. A topper, placed on top of a bundle of newspapers, is inscribed with the quantity of papers in each bundle and the carrier's route number.

Most times people leave the bundle toppers on top of the bundle when they toss 'em outta the truck at the drop point...Like, for example, your local gas station, grocery store, doughnut shop, whatever.

not to mention jimmy, the neighborhood newspaper delivery boy, who's getting paid peanuts to deliver these things.. and even if he gets caught using these card numbers fraudulently is highly unlikely to be tried as an adult, given the circumstances.

we wrapped your ordinary news inside a layer of credit card data. then we wrap it in the carbon paper used to xerox your Social Security numbers. but we're not done yet! first we add another layer built out of investigative photographs of the inside of subscribers' homes, then we add on a layer of DNA samples from each household, and finally wrap all that in a 5-year credit history of the highest profile household from each neighborhood. you can't get news th

about 6 years ago I worked on a web site for a UK mail order company. The main business had run for many years on massive mainframes, but being otherwise 100% Microsoft (they had a free unlimited licensing agreement) we used ISS and MS Commerce server for the web. It was not until I realised that complaints about web orders were taking so long to cancel that I realised that at the end of the day each order from the web was being printed out and manually typed into the mail order system. Things started getting

The newspapers will turn over the card numbers of subscribers who may have been affected to the companies upon request. As of last night, Mastercard and Visa have asked for the details. The newspapers are doing the same thing with banks of customers who may be affected.

They will only turn the numbers over upon *request* and only MC and Visa have requested it? WTF?!

Maybe it all fits. Maybe a subscriber would want a new card after their Visa # is everywhere they want to be.

And please tell me there's some kind of criminal statute being violated here. The idea that those numbers would need to ever be printed out en masse is ridiculous; the process of letting those printouts get into the real world is grossly negligent.

This happens so often, and it is not really surprising. What makes me sad is that there is a much safer way that this could be handled. Rather than giving out credit card numbers your card number being stored by everyone who wants to bill you in a recurring manner the card could instead be a private key, and used to sign a transaction statement. (or even a recurring transaction statement) That way when someone at megaCorp screws up and leaks all of their users CC data all that goes out are a bunch of "I wi

Are there laws for things like this? I've heard of local companies having breaches, and all that comes of it is "oops, sorry. call us and call your credit card companies". shouldn't there be some sort of legal obligation for companies leaking/releasing this information? i don't know anything about health care, but aren't records there kept very confidential? aren't there fines and/or penalties for releasing patient information? shouldn't consumer information be treated the same way?

This sort of thing just makes me weep. I don't know which is worse, this one because a newspaper pushed credit card data out to a bunch of its users, or the Ameriprise one http://www.nytimes.com/2006/01/26/business/26data.html [nytimes.com] because you would think that American Express would be more careful, after all it is their job.

From the article on American Express:

[American Express Lost] included the names and Social Security numbers of about 70,000 current and former financial advisers and the names and inter

We recycle a lot of paper, but we don't recycle it BACK INTO THE PRINTER. If nothing else, those high capacity laser printers have a tendency to jam on paper that's already been printed on, and if some motherf***er calls me at 3:30 in the morning because his motherf***ing toppers didn't get printed because some moron loaded the printer with crap paper, trying to save 5 bucks, I would be homicidal. It's such a major screwup, it's hard for me to see how it couldn't have been done at least partly on purpose. Ho

Blow me, not only did I read it, I passed it around the office where we read parts of it aloud to each other and laughed. THERE IS NO REASON THOSE NUMBERS SHOULD HAVE EVER BEEN PRINTED OUT. I don't care WHAT kind of hung jobs they had. If I walked into the printer room and found someone printing out lists of credit card numbers he'd be fired, and THAT is only if I thought it was some kinda mistake. If I thought anything else, I'd have his ass arrested.

Jesus Christ on a pogo-stick... you don't "recycle" some things.
Put a cardboard box in each work area that deals with sensitive information for printouts like this, then collect it and effectively shred it. How hard is this?

I woke up this morning to read that the Globe (which I subscribe to) was plastering my CC number all over the place.. Called their "hotline" which was busy all morning (.5million subscribers, one number, you do the math). Finally got through after lunch and was on hold for 1/2 hour to find out that my name was on the leaked list.

So I had to cancel my card and get a new one.

It's too bad the Herald is such a rag or I'd drop my subscription today. Maybe I will anyway and just get my news off the web like everyone else.. but I so love to curl up with my coffee and paper on sunday mornings...

This takes irresponsible to a whole new level. Any company in their right mind should have shredders/chippers in their finance department for any waste paper.

Since having your identity stolen is so difficult to recover from I think anyone that has had their info. sent out should sue if their identity is stolen. Then the company gets to pay for the next five years of credit cleanup for the person.

Wait, I thought credit card mis-haps & other sources of fraud and identity theft, only occurred on the Internet. Seriously, it's bad enough we have to spend 20% of our lives shredding our old financial data, but to have a 'supposedly' responsible organization make it all for naught? Worse still, we've now found out (in a round-a-bout fashion) that they've been 'recycling' these credit card 'reports'. So that means for countless years, the people have just been 'giving' private/confidential/sensitive informat

I recently got a CD from H&R block to use when doing my taxes. Turns out that H&R accidentally printed my social security number on the mailing label along with a string of other 'tracking numbers'. They sent a letter apologizing about it and saying that it had happened to a number of their customers. I still wonder why the shipping/printing department at H&R Block would have access to social security numbers at all.

That's because your social security number is a general purpose number used to identify you from everyone else, and is highly unlikely to be duplicated by another person. The fact that it was used on your mailing label is so that they can have all the tracking information. The others are probably non-identity specific (region, income level, marital status, sexual preference, etc.). What you should be wondering is why it's not illegal for anyone but the social security administration to use your number for an

Ah, but what if you got in their system twice, say with a misspelling of an address or middle name? Then you'd have two id numbers, and the world would end (well, at least from the view of the marketing department). SSNs avoid that, and there's no having to mess with being careful - the government does the job for them (in most cases).

Then you'd have two id numbers, and the world would end (well, at least from the view of the marketing department). SSNs avoid that, and there's no having to mess with being careful - the government does the job for them (in most cases).

It really is this pathetic - it is like their IT department (or whoever maintains their DB systems) have never heard of a "merge" utility. Yes, such a utility does need to be run and verified by a human, but hopefully the system can detect when there are possible duplicate

My wife got one of these TaxCut CDs, too. The letter (which arrived a week or two before the CD) said the SSN would be "embedded in a very long string of digits" or something, so "don't worry, no one will ever suspect it's your SSN"...but in reality it was just something like "AB333224444" or something.

That's it. I'm just writing my credit card numbers & expiry dates, passwords and PINs on stickies and leaving them on my monitor and in my wallet. That's about equally as secure as giving them to any company these days...

In addition to the phone number that other people have posted, there's a website (no hold time) that you can check to see if you've been exposed. You'll need to supply your home phone number and zip code:

it asks for your phone number and zip code. Next thing you know, your phone will be swamped with unsolicited commercial offers to acquire lists of valid credit card numbers and the corresponding phone number/zip codes to come with them.

How very helpful of the Boston Globe to give me a free reverse lookup of listed and unlisted numbers in the Massachusetts area (or at least, free reverse lookup of the few remaining subscribers). Clueless fucks.

I am continually amazed that these big corporations lose credit card, ssn, and other personal data all the time. Why were these card numbers printed in the first place? Why was the paper recycled or reused and not shredded or professionally destroyed? They should be required by law to keep the data secure. I would propose the following requirements:

- Credit card and personal information must be stored encrypted or not stored at all.
- Any machines containing cardholder data should be fully equipped with

Just like its corporate parent, the New York Times, the Boston Globe is hemorrhaging readers. Their politics are left wing, they supported Kerry and all the other moonbats. They continue to telemarket randomly even though my number is on the "do not call" list. I've filed a complaint with the FTC about this.
That they would be so cavalier about personal information doesn't surprise me. The paper sucks, the management sucks, and they should be euthanized. That's what they do to old horses; the Globe is an o

I used to work for a reasonably large computer retail chain. (Not a mom-and-pop strip mall store, mind you, this is a considerably large, multi-state chain.) Until about 6-7 years ago (jeez... has it been that long?) we used to print the customer's credit card number on EVERY receipt in its entirety, including the expiration date. Then we threw the duplicate receipts away in the dumpster. I don't specifically know if any of our customers ever got ripped off, but it was a pretty boneheaded thing to do. Final